Statistical intrusion detection in modern
networks
Michele Pagano
Department of Information Engineering
University of Pisa
XIII International Asian School-seminar
Problems of complex systems’ optimization
September 18-22, 2017
Akademgorodok
Outline
1 Theoretical background
2 How to evaluate an IDS
3 Anomaly Detection: Overview
4 Anomaly Detection: Examples
M. Pagano Statistical intrusion detection in modern networks 2 / 50
Theoretical background
Outline
1 Theoretical background
Overview
Taxonomy of the Intrusion Detection Systems
Examples of the Intrusion Detection Systems
2 How to evaluate an IDS
3 Anomaly Detection: Overview
4 Anomaly Detection: Examples
M. Pagano Statistical intrusion detection in modern networks 3 / 50
Theoretical background Overview
Why an intrusion detection system?
Network security mainly means PREVENTION
Physical protection for hardware
Passwords, access tokens, etc. for authentication
Access control list for authorization
Cryptography for secrecy
Backups and redundancy for authenticity
. . . and so on
BUT . . .
. . . Absolute security cannot be guaranteed!
M. Pagano Statistical intrusion detection in modern networks 4 / 50
Theoretical background Overview
What is an Intrusion Detection System?
Prevention is suitable when
Internal users are trusted
Limited interaction with other networks
Need for a system which acts when prevention fails
Intrusion Detection System
An intrusion detection system or IDS is a software/hardware
tool used to detect unauthorized access to a computer system
or a network
M. Pagano Statistical intrusion detection in modern networks 5 / 50
Theoretical background Overview
A bit of History
The history of IDSs can be split in three main blocks
1 First Generation IDSs (end of the 1970s)
The concept of IDS first appears in the 1970s and early
1980s (Anderson, Computer Security Monitoring and
Surveillance, Tech Rep 1980)
Focus on audit data of a single machine
Post processing of data
2 Second Generation IDSs (1987)
Intrusion Detection Expert System (Denning, An intrusion
Detection Model, IEEE Trans. on Soft. Eng., 1987)
Statistical analysis of data
3 Third Generation IDSs (to come)
Focus on the network
Real-time detection
Real-time reaction
Intrusion Prevention System
M. Pagano Statistical intrusion detection in modern networks 6 / 50
Theoretical background Overview
A taxonomy of the intruders
Intruders can be classified as
Masquerader: an individual who is not authorized to use
the computer and who penetrates a system’s access
control to exploit a legitimate user’s account
Misfeasor: a legitimate user who accesses data,
programs, or resources for which such access is not
authorized, or who is authorized for such access, but
misuses his/her privileges
Clandestine User: an individual who seizes supervisory
control of the system and uses the control to evade
auditing and access controls or to suppress audit collection
Anderson, Computer Security Monitoring and Surveillance, Tech Rep 1980
M. Pagano Statistical intrusion detection in modern networks 7 / 50
Theoretical background Overview
A taxonomy of the intrusions
Eavesdropping and Packet Sniffing: passive interception of
network traffic
Snooping and Downloading
Tampering and Data Diddling: unauthorized changes to data
or records
Spoofing: impersonating other users
Jamming or Flooding: overwhelming a system’s resources
Injecting Malicious Code
Probing
Exploiting Design or Implementation Flaws: as buffer
overflow
Cracking Passwords and Keys
Denning, Cyberspace Attacks and Countermeasures, New York,1997
M. Pagano Statistical intrusion detection in modern networks 8 / 50
Theoretical background IDS Taxonomy
Host based vs. Network based
Host based IDS
Aimed at detecting attacks related to a specific host
Architecture/Operating system dependent
Processing of high level information (e.g. system calls)
Effective in detecting insider misuse
Network based IDS
Aimed at detecting attacks towards hosts connected to a
LAN
Architecture/Operating system independent
Processing data at lower level of granularity (packets)
Effective in detecting attacks from the “outside”
M. Pagano Statistical intrusion detection in modern networks 9 / 50
Theoretical background IDS Taxonomy
Misuse based IDS vs. Anomaly based IDS
Misuse based (Signature based, Rule based) IDS
Identifies intrusion by looking for patterns of traffic or of
application data presumed to be malicious
Pattern of misuses are stored in a database
Effective in detecting only “known” attacks
Encrypted traffic ???
Anomaly based IDS
Identifies intrusions by classifying activity as either
anomalous or normal
Need a training phase to recognize normal activity
Able to detect “new” attacks
Generates more false alarms than a misuse based IDS
M. Pagano Statistical intrusion detection in modern networks 10 / 50
Theoretical background IDS Taxonomy
Stateless IDS VS Stateful IDS
Stateless IDS
Treats each event independently of others
Simple system design
High processing speed
Stateful IDS
Maintains information about past events
The effect of a certain event depends on its position in the
events stream
More complex system design
More effective in detecting distributed attacks
M. Pagano Statistical intrusion detection in modern networks 11 / 50
Theoretical background IDS Taxonomy
Centralized IDS VS Distributed IDS
Centralized IDS
All the operations are performed by the same machine
More simple to realize
Only one point of failure
Distributed IDS
Composed of several components
Sensors which generate security events
Console to monitor events and alerts and control the sensors
Central Engine that records events and generate alarms
May need to deal with different data formats
Need of a secure communication protocol (IPFIX)
M. Pagano Statistical intrusion detection in modern networks 12 / 50
Theoretical background IDS Examples
SNORT
Snort
The most famous IDS
Open source software tool
Network based
Signature based
Centralized architecture
Spade, the anomaly detection plug-in for Snort... is not
supported any longer
The rules database, as well as the system code, is available for
download at the web site http://www.snort.org
M. Pagano Statistical intrusion detection in modern networks 13 / 50
Theoretical background IDS Examples
Attacks State of the Art
Howard Lipson, CMU Software Engineering Institute CERT R©
(Computer Emergency Response Team – by DARPA in 1988)
M. Pagano Statistical intrusion detection in modern networks 14 / 50
Theoretical background IDS Examples
IDS State of the Art
Focus is on Network based IDSs (The only ones effective
in detecting Distributed Denial of Service - DDoS)
State of the art IDSs are Misuse Based
Most attacks are realized by means of software tools
available on the Internet
Most attacks are “well-known” attacks
BUT . . .
. . . The most dangerous attacks are those written
ad hoc by the intruder!
M. Pagano Statistical intrusion detection in modern networks 15 / 50
Theoretical background IDS Examples
The best choice?
Combined use of both
HIDS (for insider attacks) & NIDS (for outsider attacks)
Misuse IDS (low False Alarm rate) & Anomaly IDS (for
“new” attacks)
Stateless IDS (fast data process) & Stateful IDS (for
“complex” attacks)
Distributed IDS
Not a single point of failure
More effective in monitoring large networks
M. Pagano Statistical intrusion detection in modern networks 16 / 50
Theoretical background IDS Examples
The best choice?
M. Pagano Statistical intrusion detection in modern networks 17 / 50
Evaluation
Outline
1 Theoretical background
2 How to evaluate an IDS
Receiver Operating Characteristics (ROC) Curve
Evaluation Datasets
3 Anomaly Detection: Overview
4 Anomaly Detection: Examples
M. Pagano Statistical intrusion detection in modern networks 18 / 50
Evaluation ROC
Basic definitions
A = alarm
−A = not an alarm
I = attack (intrusion)
−I = not an attack
False Positive (FP): the error of rejecting a null hypothesis
when it is actually true. In our case it implies the creation of
an alarm in correspondence of normal activities
P(A| − I) = False positive (alarm) probability
False Negative (FN): the error of failing to reject a null
hypothesis when it is in fact not true. In our case it
corresponds to a missed detection
P(−A|I) = False negative probability
M. Pagano Statistical intrusion detection in modern networks 19 / 50
Evaluation ROC
ROC (Receiver Operating Characteristics) Curve
0 0.1 0.2 0.3 0.4 0.5 0.6 0.7 0.8 0.9 1
0
0.1
0.2
0.3
0.4
0.5
0.6
0.7
0.8
0.9
1
False Alarm Rate
D
e
te
c
ti
o
n
R
a
te
Non Stati
